[FOLIO-2286] X-Okapi-Module-Tokens response header providing access to unauthenticated users Created: 25/Sep/19  Updated: 03/Jun/20  Resolved: 26/Sep/19

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P1
Reporter: Craig McNally Assignee: Jakub Skoczen
Resolution: Done Votes: 0
Labels: q3.2-2019, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
is blocked by OKAPI-764 X-Okapi-Module-Tokens revealed in res... Closed
Relates
relates to FOLIO-2287 Valid X-Okapi-Token (with permissions... Closed
Sprint: CP: sprint 73
Development Team: Core: Platform

Description

Overview

The X-Okapi-Module-Tokens response header is being returned when making calls to endpoints which have modulePermissions defined. This header includes a token which can be used like an X-Okapi-Token, granting access without ever authenticating.

Reproducer

Make a call w/o specifying an X-Okapi-Token to an endpoint which has modulePermissions (NOTE that no X-Okapi-Token is provided here):

$ curl $OKAPI/circulation/loans -H "X-okapi-tenant: diku" -v -w'\n'
*   Trying 52.72.80.49...
* Connected to folio-testing-okapi.aws.indexdata.com (52.72.80.49) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: *.aws.indexdata.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=*.aws.indexdata.com
* 	 start date: Thu, 23 May 2019 00:00:00 GMT
* 	 expire date: Tue, 23 Jun 2020 12:00:00 GMT
* 	 issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET /circulation/loans HTTP/1.1
> Host: folio-testing-okapi.aws.indexdata.com
> User-Agent: curl/7.47.0
> Accept: */*
> X-okapi-tenant: diku
> 
< HTTP/1.1 403 Forbidden
< Date: Wed, 25 Sep 2019 21:24:33 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Okapi-Module-Tokens: {"mod-circulation-17.0.0-SNAPSHOT.383":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMzYuMS45NTo0NTk3OF9fMjAxOS0wOS0yNVQyMToyNDozMy4yNjcrMDAwMCIsIm1vZHVsZSI6Im1vZC1jaXJjdWxhdGlvbi0xNy4wLjAtU05BUFNIT1QuMzgzIiwiZXh0cmFfcGVybWlzc2lvbnMiOlsibW9kcGVybXMuY2lyY3VsYXRpb24ubG9hbnMuY29sbGVjdGlvbi5nZXQiXSwicmVxdWVzdF9pZCI6IjE5MDk5N1wvY2lyY3VsYXRpb24iLCJ0ZW5hbnQiOiJkaWt1In0.sGQCtHxwNNi3gSWZctCULRHiHx3O4Sq2xJoT1i64jYw","_":"eyJhbGciOiJIUzI1NiJ9.eyJkdW1teSI6dHJ1ZSwic3ViIjoiVU5ERUZJTkVEX1VTRVJfXzEwLjM2LjEuOTU6NDU5NzhfXzIwMTktMDktMjVUMjE6MjQ6MzMuMjY3KzAwMDAiLCJyZXF1ZXN0X2lkIjoiMTkwOTk3XC9jaXJjdWxhdGlvbiIsInRlbmFudCI6ImRpa3UifQ.w1t8bHOzlAd5EOYeLBOjU8DW9A0DgjvJqVrkds_Ha7U"}
< X-Okapi-Trace: GET mod-authtoken-2.3.0-SNAPSHOT.56 http://10.36.1.95:9132/circulation/loans : 403 3207us
< 
* Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
Access requires permission: circulation.loans.collection.get

The 403 response makes sense except for the X-Okapi-Module-Tokens header... when decoded, this particular call gives a token providing the following permissions:

modperms.circulation.loans.collection.get

which expands to a very long list:

[
        "circulation-storage.loans.collection.get",
        "circulation-storage.loan-policies.item.get",
        "circulation-storage.loan-policies.collection.get",
        "inventory-storage.items.item.get",
        "inventory-storage.items.collection.get",
        "inventory-storage.locations.item.get",
        "inventory-storage.locations.collection.get",
        "inventory-storage.location-units.institutions.item.get",
        "inventory-storage.location-units.campuses.item.get",
        "inventory-storage.location-units.libraries.item.get",
        "inventory-storage.location-units.libraries.collection.get",
        "inventory-storage.holdings.collection.get",
        "inventory-storage.holdings.item.get",
        "inventory-storage.instances.collection.get",
        "inventory-storage.instances.item.get",
        "inventory-storage.material-types.collection.get",
        "inventory-storage.material-types.item.get",
        "inventory-storage.service-points.collection.get",
        "inventory-storage.service-points.item.get",
        "users.collection.get",
        "users.item.get",
        "inventory-storage.locations.collection.get",
        "accounts.collection.get",
        "usergroups.collection.get",
        "usergroups.item.get"
      ]

The recent fix for RMB-478 (Closed) appears to fix this, but modules will need to upgrade to a version of RMB that has this fix, and re-release.
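The report's decoding step (reading the leaked token's `extra_permissions` claim) and the fix's invariant (X-Okapi-Module-Tokens must never appear in a response) can be turned into an automated check. The following is an added example, not code from the FOLIO project; the sample headers and the tokens inside them are constructed here with a placeholder signature segment, so they are JWT-shaped but unverifiable, and only the claim names (`extra_permissions`, `tenant`, `module`, `sub`, `dummy`) follow the token shown in the reproducer.

```python
import base64
import json

# Header that Okapi uses internally on requests and that must never reach a client.
LEAKING_HEADER = "X-Okapi-Module-Tokens"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(claims: dict) -> str:
    """Constructed JWT-shaped string with a placeholder signature (not a real Okapi token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature.

    This is inspection only (what does a leaked token claim to grant?), never
    a trust decision; trust decisions require signature verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def module_token_permissions(header_value: str) -> dict:
    """Parse the X-Okapi-Module-Tokens JSON and map module id -> extra_permissions."""
    tokens = json.loads(header_value)
    result = {}
    for module_id, token in tokens.items():
        claims = decode_jwt_claims(token)
        # The "_" dummy token carries no extra_permissions, so it maps to [].
        result[module_id] = list(claims.get("extra_permissions", []))
    return result


def audit_response_headers(status: int, headers: dict) -> list:
    """Return one finding per leaked module token; an empty list means the response is clean."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(LEAKING_HEADER.lower())
    if value is None:
        return findings
    for module_id, extra in module_token_permissions(value).items():
        findings.append(
            f"status {status}: {LEAKING_HEADER} exposed a token for {module_id} "
            f"carrying {len(extra)} extra permission(s): {', '.join(extra) or '(none)'}"
        )
    return findings


# Constructed sample modelled on the 403 response in the reproducer; values are illustrative.
SAMPLE_HEADERS = {
    "Content-Type": "text/plain",
    "X-Okapi-Module-Tokens": json.dumps({
        "mod-circulation-17.0.0-SNAPSHOT.383": make_demo_token({
            "sub": "UNDEFINED_USER__constructed-example",
            "module": "mod-circulation-17.0.0-SNAPSHOT.383",
            "extra_permissions": ["modperms.circulation.loans.collection.get"],
            "tenant": "diku",
        }),
        "_": make_demo_token({"dummy": True, "tenant": "diku"}),
    }),
}


if __name__ == "__main__":
    for line in audit_response_headers(403, SAMPLE_HEADERS):
        print(line)
```

Run against the sample headers this reports two leaked tokens, one of them carrying `modperms.circulation.loans.collection.get`; wiring `audit_response_headers` into an integration test that hits an endpoint with modulePermissions and no X-Okapi-Token gives a regression check for the header-stripping behaviour the fix introduces.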

Comments
Comment by Craig McNally [ 25/Sep/19 ]

We verified that RMB-478 (Closed) helps by locally updating mod-orders to use RMB 27.1.1. This appears to solve the problem.

Unfortunately, I doubt all modules affected by this are in a position to simply upgrade to the latest RMB version.

Comment by Jakub Skoczen [ 26/Sep/19 ]

EDITED

Craig McNally Adam Dickmeiss

AFAIK, this problem is only exploitable locally (when making direct calls to the module), hence not as critical as FOLIO-2287 (Closed), which can be exploited by a remote attacker to gain access to the system. I would not consider it a release blocker then; what do you think Craig McNally?

We will expedite the fix anyway through OKAPI-763 (Closed), to avoid blocking it on RMB upgrades across all modules (which should be done anyway).

Comment by Jakub Skoczen [ 26/Sep/19 ]

Craig McNally have you tried using the leaked tokens to call an API in FOLIO?

Comment by Jakub Skoczen [ 26/Sep/19 ]

Craig McNally Adam Dickmeiss Ok, I've verified that this is also a remote exploit. I won't be posting full repro steps here.

Comment by Adam Dickmeiss [ 26/Sep/19 ]

This should be solved by OKAPI-764 (Closed). X-Okapi-Module-Tokens is an internal request header (never response).

Comment by Jakub Skoczen [ 26/Sep/19 ]

Verified by Craig McNally
